managing powershell dsc with puppet
Post on 16-Jan-2017
Embed Size (px)
Puppet Labs - Sales Presentation Deck - 4Q FY16
Managing PowerShell DSC with Puppet
Ethan BrownTechnical Lead, Windows Engineering
James PogranSoftware Engineer, Author of Learning PowerShell DSC
My name is James Pogran. I've been working on automating systems on the Windows platform for over 14 years. Now I'm a developer at Puppet Labs working to make automation in Windows even better.
I used PowerShell DSC at my last job to deploy a large client/server application in production. There was no documentation at the time, so I wrote my own book called Learning PowerShell DSC, to help others who were struggling with DSC.
While you can use DSC on it's own, it's so much better with Puppet. Today I will be talking about using Puppet and PowerShell DSC together, what the benefits are, and provide some real world use cases.
AgendaHow Puppet Enterprise worksWhy Puppet and DSCDemoPuppet Labs Windows supportResourcesQ&A
Our software automates the provisioning, configuration & ongoing managementof your machines & the applications, services & software running on them.
Our software helps you automate the configuration and ongoing management of your machines and the software running on them, so you spend less time fighting fires and more time deploying great software.
We help you make rapid, repeatable changes and automatically enforce the consistency of systems and devicesacross physical and virtual machines, on prem or in the cloud. 3
How Puppet Enterprise Works
Why Puppet and DSCUse the skills you have to do moreDSC and Puppet: Best of both worldsTracking and reporting on change
Thanks for that great introduction to Puppet. We have covered why Puppet is important tool to have and how it works, but why should you use Puppet and PowerShell DSC?
Whether you are new to Puppet or have been using it for years, there are lots of reasons for using Puppet and DSC together.
Today we are going to talk about three reasons Puppet and DSC can work together to enable you to do more. I will go over each reason in more detail as we proceed, but Ill quickly summarize the points right now.
Puppet enables you to use the skills you already have to do moreThe Puppet DSL is similar to DSC syntax, so you can get up and running quicklyYou can migrate a DSC Configuration script to a Puppet manifest with just a few text editsOverall there is less code when you use them together
With DSC and Puppet you get all of the advantages of both worldsThere are thousands of resources made by Puppet, Microsoft and the community that you can use right awayYou immediately become able to handle multiple platforms that cover your entire environmentPuppet provides rich management capabilities that you can layer on top of DSC, including node classification, status of nodes, role based access control, and more
Tracking and reporting on change becomes easierKnowing when something broke is just as important as knowing when something succeededReporting is a must have for have any company that has to do any kind of compliance auditing
Now that was a quick run through. Lets go through these one by one
Use the skills you have to do moreMigrate a DSC Configuration script to a Puppet manifest with a few text editsPuppet DSL is similar to PowerShell DSC syntaxLess code when used together
First off, doing more with less sounds like a clich, but it's a fact of life for any sysadmin or developer. Time and resource constraints necessitate flexibility and resourcefulness.
You will get productive fast with Puppet and DSC. Converting an existing PowerShell DSC Configuration script to a Puppet manifest is just a few text edits.
With Puppet you can take your existing PowerShell DSC skills and knowledge and apply them directly to fixing the problem at hand without having to learn everything upfront. As you do more, you can delve deeper, but you can get going quickly.
Oftentimes a Puppet manifest has less code to write than a PowerShell DSC configuration script. Well see more of how this works later in our demos.
Lets get started
Converting DSC Configuration to Puppet Manifest
On the left is a PowerShell DSC configuration script, on the right is a Puppet manifest. It is a direct port from the DSC script. In it we are compressing a log directory and ensuring that a file is present on the file system with specific text inside it.
If you're new to Puppet but PowerShell is familiar, you'll be right at home using the Puppet DSC module. Even if you are not familiar, its so human readable that you can see whats going on right away.
DSC works a lot like Puppet in many ways: it's declarative, uses a similar syntax, and similar terminology. Right away, you can see that there are only a few syntactical differences you need to account for when migrating to a Puppet manifest.You have to add a dsc_ prefix to all resource declarations and to all parameters.Your equal signs turn into hash rocketsCommas are added at the end of each value
These are simple, short changes that make sense. The syntax is so similar, there isn't any cognitive dissonance. Switching from a PowerShell DSC Resource to a Puppet module declaration is really just a few text edits and then youre done.
Youll start to notice that there is less to write using Puppet. No configuration blocks to add, no DSC Resource module import declarations to keep track of, just the individual components you need.
All PowerShell DSC types are supported, including base types like integers and Booleans, complex types like PSCredentials and any custom type bindings that you may use.
Now that we have covered how to transition to a Puppet manifest using DSC, well talk about what you can DO with Puppet and DSC
DSC and Puppet: Best of Both Worlds200+ DSC Resources made by Microsoft and the community4000+ modules made by Puppet and the communityInteroperable with multiple platforms
A key part of any sysadmin or developers life is re-using good tools and code. If there is something good out there, use it. If someone else has already solved the problem, use their solution. We stand on shoulders of giants when we work together.
Thats why the Puppet DSC module enables you to use the 200+ PowerShell DSC Resources that have already been released and tested by the PowerShell community. Some of these resources cover scenarios not yet addressed by Puppet, providing immediate value. Like Lego pieces, you can mix and match the DSC Resources and Puppet modules to address any situation you encounter.
And when you come to something that DSC cant do yet or a platform that it doesnt yet support, you can look toward the existing 4,000+ Puppet modules to have your back. Puppet supports almost all OS and platforms under the sun: Windows, Linux, Network devices, storage arrays, etc, allowing you to cover your entire environment using first class modules and best practices.
Lets look at a real world example showing how you can mix and match DSC and Puppet to get the job done
Best of Both Worlds: Immediate ValueSolving problems using the strengths of Puppet and DSC
DSC is a powerful platform, but its a new technology. Like many new products, it needs to choose which features to implement first. Like Jeffey Snover says, to ship is to choose. This is not a bad thing, its focusing on delivering value first and getting it right. Then fill in the edges as time goes on. This does result in some waiting, but as we will see in a moment we can address that now.
In this slide we see a PowerShell community member asking for the ability to restart a service when its configuration file has changed. Dave Wyatt, one of the maintainers of Pester, replies that its a big wishlist item for him, and that he currently works around it by using a Script DSC Resource. Its a good workaround, but you have to do all the work to ensure the Script DSC Resource is idempotent, i.e. that it only changes the state of the system if it is not in the desired state. Its extra work for you, and something that isnt portable. You will have to modify it for every individual service.
While we wait for the shipping cycle for PowerShell DSC, we can use Puppet WITH DSC to solve this problem right now.
Here we are installing the awesome Foo Product software on our target node using Puppet and PowerShell DSC. Foo Product has a configuration file it uses which allows users to change certain behavior in the program. We need to update the configuration file after the product is installed, which requires us to restart the service.
We model this by declaring a PowerShell DSC Package resource that will handle installing the MSI for us.
We then use a Puppet File module to ensure the file is present on the target node, and contains the exact text we want.
Lastly we set the Puppet Service module to ensure the service is running.
Notice the line in the File declaration where it says it will notify the Service module. This means that if the File module changes anything, it will send a notification to Puppet to tell the Service module to perform a refresh. The Service module doesnt know anything about the config file, or when it changes, it just receives the notification from Puppet that it needs to refresh, or restart. These change notifications, along with many other features make Puppet a really powerful way to model and control change in your environment.
Lets run this example now.
This was a nice simple example, but doesnt really show anything too fancy. Lets move onto something more complicated.